Cedric Blancher wrote:
On Tue 01/04/2003 at 19:34, Eric Marchionni wrote:
does anybody know how to drop packets with destination-port 80 after a limit of connections has been reached? i'd like to deny access for the attacker as soon as a cgi-scan has been detected.
| # limit the nr of parallel http requests to 16 per class C sized
| # network (24 bit netmask)
| iptables -A INPUT -p tcp --syn --dport 80 -m iplimit --iplimit-above 16 \
|          --iplimit-mask 24 -j REJECT
I think it exactly fits your needs ;)
this sounds already pretty good!
as far as i understand this will result in a slowed-down scan.
if somehow possible i'd like to abort the scan altogether. like
denying any connection from the attacker's ip for about 1 minute or so...
(i know it's dangerous if someone begins spoofing google-ip or
my dns-server-ip with a cronjob, but this would only affect the
web-server...)
else i'll use iplimit ;-D
-eric
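As an added illustration of the policy Eric is asking for (this is not code from the thread and not an iptables rule): a small Python model that groups HTTP SYNs by /24 the way `--iplimit-mask 24` does, but instead of merely capping parallel connections it bans the whole source network for 60 seconds once more than 16 SYNs arrive inside a short window. The 10-second window, the source addresses and the sample traffic are constructed for the example. In netfilter itself this kind of time-window check is what the `recent` match provides; iplimit, as Cedric's rule shows, only limits how many connections may be open at once.

```python
"""Model of 'limit HTTP SYNs per /24, then block that /24 for a minute'.

Constructed example; it mirrors the decision a firewall rule would make
but does not touch the kernel.
"""
from collections import defaultdict, deque
from ipaddress import ip_network


class HttpSynGuard:
    """Tracks TCP SYNs to port 80 per source network.

    threshold:   SYNs a network may send within `window` seconds
                 (the thread's iplimit rule uses 16 per /24).
    window:      sliding window length in seconds (assumed: 10 s).
    ban_seconds: how long the network stays blocked after exceeding
                 the threshold (Eric's "about 1 minute").
    mask:        prefix length used to group sources (--iplimit-mask 24).
    """

    def __init__(self, threshold=16, window=10.0, ban_seconds=60.0, mask=24):
        self.threshold = threshold
        self.window = window
        self.ban_seconds = ban_seconds
        self.mask = mask
        self._recent = defaultdict(deque)  # network -> timestamps of recent SYNs
        self._banned_until = {}            # network -> ban expiry timestamp

    def _network(self, src):
        # strict=False masks host bits so 198.51.100.23/24 -> 198.51.100.0/24
        return ip_network(f"{src}/{self.mask}", strict=False)

    def decide(self, ts, src):
        """Return 'DROP' or 'ACCEPT' for one SYN seen at time `ts` from `src`."""
        net = self._network(src)
        until = self._banned_until.get(net)
        if until is not None:
            if ts < until:
                return "DROP"  # still inside the ban window
            # ban expired: forget it and start counting afresh
            del self._banned_until[net]
            self._recent[net].clear()
        recent = self._recent[net]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # slide the window forward
        if len(recent) > self.threshold:
            self._banned_until[net] = ts + self.ban_seconds
            recent.clear()
            return "DROP"  # this SYN crossed the limit; network is now banned
        return "ACCEPT"


# Constructed sources (documentation ranges, not real hosts).
SCANNER = "198.51.100.23"
LEGIT = "192.0.2.10"


def sample_syns():
    """Constructed SYN trace: a scanner firing 20 SYNs in 2 s, then retrying
    at t=50 (still banned) and t=70 (ban expired); a legitimate client
    from another /24 interleaved throughout."""
    events = [(round(0.1 * i, 1), SCANNER) for i in range(20)]
    events += [(0.05, LEGIT), (5.0, LEGIT), (30.0, LEGIT), (65.0, LEGIT)]
    events += [(50.0, SCANNER), (70.0, SCANNER)]
    return sorted(events)


def run(events=None, **kwargs):
    """Feed a trace through the guard; returns (ts, src, verdict) tuples."""
    guard = HttpSynGuard(**kwargs)
    return [(ts, src, guard.decide(ts, src)) for ts, src in (events or sample_syns())]


if __name__ == "__main__":
    for ts, src, verdict in run():
        print(f"t={ts:5.1f} {src:15} {verdict}")
```

The 17th SYN from the scanner's /24 triggers the ban, everything from that network is dropped until t=61.6, and the legitimate client in a different /24 is never affected, which is the property Eric wants beyond what iplimit's REJECT gives him.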